<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="zh-cn" xml:lang="zh-cn">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="替换客户端的SSL证书（非Windows OS）">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="ZH-CN_TOPIC_0000002164604142">
<meta name="DC.Language" content="zh-cn">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>替换客户端的SSL证书（非Windows OS）</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="ZH-CN_TOPIC_0000002164604142"></a><a name="ZH-CN_TOPIC_0000002164604142"></a>

<h1 class="topictitle1">替换客户端的SSL证书（非Windows OS）</h1>
<div><div class="p">主机已安装客户端软件，当存在以下场景时参考本节替换客户端的SSL证书：<ul><li>客户端证书即将过期。</li><li>客户端证书与服务端的证书不是同一CA证书签发。</li></ul>
</div>
<div class="section"><h4 class="sectiontitle">前提条件</h4><ul><li>客户端证书和服务端证书必须为同一CA证书签发。</li><li>已获取证书文件：CA证书文件ca.crt.pem，客户端证书文件及其私钥文件client.crt.pem，client.pem。</li></ul>
</div>
<div class="section"><h4 class="sectiontitle">操作步骤</h4><ol><li><span>使用PuTTY，以系统管理员账户登录客户端所在的主机。</span></li><li><span>将证书文件上传至指定目录，所有文件放在同一文件夹下。</span></li><li><span>执行以下命令进入<span class="filepath">“updateCert.sh”</span>脚本所在目录。</span><p><pre class="screen">cd /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient</pre>
</p></li><li><span>执行以下命令运行脚本。</span><p><pre class="screen">sh updateCert.sh</pre>
<p>按照回显提示依次输入证书文件所在路径以及私钥文件的密码。</p>
</p></li><li><span>替换客户端证书后，部分场景需要替换服务端证书。</span><p><div class="note"><img src="public_sys-resources/note_3.0-zh-cn.png"><span class="notetitle"> </span><div class="notebody"><ul><li>替换客户端证书后，如果客户端证书与服务端证书不是同一CA证书签发，需要替换服务端证书，具体操作请参考<a href="zh-cn_topic_0000002164604150.html">导入证书</a>。</li><li>如果替换证书过程出现异常，系统会自动执行回退；如果用户自行中止了证书替换，需要手动执行回退，具体操作可参考<a href="#ZH-CN_TOPIC_0000002164604142__zh-cn_topic_0000001311093349_section14663181113118">回退证书</a>。</li><li>替换客户端证书后，建议您导入<span>OceanProtect</span>的证书吊销列表文件，如果<span>OceanProtect</span>的证书已被吊销，将中断客户端与<span>OceanProtect</span>的通信。具体操作请参见<a href="#ZH-CN_TOPIC_0000002164604142__section1273603214473">导入证书吊销列表文件</a>。</li></ul>
</div></div>
</p></li></ol>
</div>
<div class="section" id="ZH-CN_TOPIC_0000002164604142__zh-cn_topic_0000001311093349_section14663181113118"><a name="ZH-CN_TOPIC_0000002164604142__zh-cn_topic_0000001311093349_section14663181113118"></a><a name="zh-cn_topic_0000001311093349_section14663181113118"></a><h4 class="sectiontitle">回退证书</h4><ol><li><span>使用PuTTY，以系统管理员账户登录客户端所在的主机。</span></li><li><span>依次执行以下命令将替换前的证书拷贝至客户端安装路径。</span><p><pre class="screen">cp -f /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/tmpPems/ProtectClient-E/bcmagentca.pem /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/ProtectClient-E/bin/nginx/conf/bcmagentca.pem</pre>
<pre class="screen">cp -f /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/tmpPems/ProtectClient-E/server.pem /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/ProtectClient-E/bin/nginx/conf/server.pem</pre>
<pre class="screen">cp -f /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/tmpPems/ProtectClient-E/server.key /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/ProtectClient-E/bin/nginx/conf/server.key</pre>
<pre class="screen">cp -f /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/tmpPems/ProtectClient-E/agent_cfg.xml /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/ProtectClient-E/conf/</pre>
</p></li><li><span>执行以下命令进入客户端脚本所在目录。</span><p><pre class="screen">cd /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient/</pre>
</p></li><li><span>依次执行以下命令重启客户端服务。</span><p><pre class="screen">sh stop.sh</pre>
<pre class="screen">sh start.sh</pre>
</p></li></ol>
</div>
<div class="section" id="ZH-CN_TOPIC_0000002164604142__section1273603214473"><a name="ZH-CN_TOPIC_0000002164604142__section1273603214473"></a><a name="section1273603214473"></a><h4 class="sectiontitle">导入证书吊销列表文件</h4><ol><li><span>使用PuTTY，以系统管理员账户登录客户端所在的主机。</span></li><li id="ZH-CN_TOPIC_0000002164604142__li788487497"><a name="ZH-CN_TOPIC_0000002164604142__li788487497"></a><a name="li788487497"></a><span>使用WinSCP，将待导入的证书吊销列表文件拷贝至客户端所在的主机中的任意目录。</span></li><li><span>依次执行以下命令导入证书吊销列表。其中<span class="uicontrol">“证书吊销列表文件路径”</span>为<a href="#ZH-CN_TOPIC_0000002164604142__li788487497">2</a>中拷贝的文件路径。</span><p><pre class="screen">cd /opt/<span style="color:#494949;">DataBackup</span>/ProtectClient</pre>
<pre class="screen">sh crl_update.sh -i <em>证书吊销列表文件路径</em></pre>
<div class="p">如果回显如下信息，表示导入证书吊销列表文件成功。<pre class="screen">Exec script succeed.</pre>
</div>
</p></li></ol>
</div>
</div>

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">版权所有 &copy; 华为技术有限公司</div></body>
</html>